Monday, May 16, 2016

GPG, or GnuPG, refers to the GNU Privacy Guard utility. GPG is a freely available implementation of the OpenPGP
standard, released by Werner Koch in 1999. The security and
privacy of data and individuals is an important topic in modern
culture. The OpenPGP standard allows GPG and other applications to work
together to secure and protect your data.
This series will explain the basic fundamentals of GPG and take you
step by step through using it. The OpenPGP standard provides the basic
features of confidentiality, integrity, and non-repudiation. By implementing this standard, GPG provides all three.

Confidentiality

Confidentiality is the ability to keep the contents of a file or
message private. To provide confidentiality, GPG converts the
original contents of a file, called plaintext, into an encrypted version called ciphertext.
This helps keep your files secure on a computer, on removable drives,
or when transmitted over the Internet. Think of it as writing a letter
in a secret code: even if the letter is intercepted and the
envelope steamed open, the message cannot be read.
The example plaintext below is encrypted with the passphrase “openme”. This is an example of a symmetric algorithm, where the same key is used for both encryption and decryption, so anyone who learns the passphrase can decrypt the file.

Integrity

Another function of GPG is to ensure the integrity
of a file. The Fedora Project uses this feature to help ensure
the image you download is the one Fedora provides. In the case of
Fedora, both a checksum and a signature are published.

A checksum (hash) is a fixed-length string derived from data, such as a file.
The checksum is generated by a one-way cryptographic hash function.
The function cannot be reversed to recover the original data from the
checksum. It is also designed so that finding two different inputs
that produce the same checksum is computationally infeasible
(collision resistance).

You will see this on the page that thanks you for downloading Fedora:

The text below is from the page you see when you click the Validate button on the page above. To verify this information and the image itself, follow the link for the instructions.

The signature also provides integrity
checking for the checksums: if the checksum values were changed, the
signature would no longer verify. After verifying the signature, the hash
values in the file can be compared with a checksum computed over the downloaded image
file. If they are the same, you can be confident the image is neither tampered
with nor corrupted. That confidence rests on the signature having been made by
Fedora's own key, so the fingerprint of the key you verify against must itself be
checked against the one Fedora publishes.

Non-repudiation

Non-repudiation ensures that a
person cannot deny having signed a file or message. If you always sign your
messages, someone receiving an unsigned message should suspect it is a
fake. Non-repudiation requires a more complex
cryptographic system than the symmetric example shown earlier: asymmetric, or public-key, cryptography makes this feature possible.

In a public-key system, each user has a public key, which they share as widely as possible; and a private key, which they protect as carefully as possible. Keyservers on the internet can collect and advertise public keys to make exchange of information easier.

To check whether a signature is valid you need the signer's public key,
which is often retrieved from a keyserver.
However, downloading a public key labeled as belonging to someone
does not prove the key actually belongs to that person.

For this reason, keys must be verified
personally before they are trusted. If you meet someone in person and verify their
identity and their key fingerprint, you can trust their key. The “web of trust,” which will be
discussed later in the series, also allows you to trust a key from a person
you haven’t personally met, because people whose keys you trust have verified it.

Authenticity

When confidentiality, integrity and non-repudiation are combined, authenticity
is achieved: a file or message can be kept secret, verified not to have
been tampered with, and verified to come from the specified source.
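The Fedora download check described in the Integrity section, together with the symmetric “openme” encryption from the Confidentiality section, as an added shell example that is not part of the original article or of Fedora's own tooling. It assumes gpg (2.1 or newer, for --pinentry-mode loopback) and GNU sha256sum are installed; the image file, the CHECKSUM file, the signing key and its user ID “Example Signer <signer@example.invalid>” are all constructed on the spot. Because the key is generated locally, a good signature here only shows that the CHECKSUM file was not altered after it was signed; with a real download you must also confirm that the signing key's fingerprint is the one Fedora publishes, which is the identity question the Non-repudiation section raises.

```shell
#!/bin/sh
# Added example (not from the original article): a Fedora-style download check,
# i.e. verify the signature over CHECKSUM, then compare the image against the
# hash in CHECKSUM, plus the symmetric "openme" round trip from the
# confidentiality section. Everything is constructed locally; nothing is
# downloaded, and the signing key is a throwaway generated on the spot, so a
# good signature here says nothing about who signed.
set -u

gpg_available() { command -v gpg >/dev/null 2>&1; }

# Build a fake "image" and a CHECKSUM file listing its sha256; print the directory.
make_sample() {
    dir=$(mktemp -d)
    printf 'pretend this is an installation image\n' > "$dir/Fedora-Example.iso"
    (cd "$dir" && sha256sum Fedora-Example.iso > CHECKSUM)
    echo "$dir"
}

# Confidentiality: symmetric encryption with the passphrase "openme", then
# decryption; returns 0 when the decrypted output equals the plaintext.
symmetric_roundtrip() {
    f=$1; h=$(mktemp -d); chmod 700 "$h"
    gpg --homedir "$h" --batch --yes --pinentry-mode loopback --passphrase openme \
        --symmetric --output "$f.gpg" "$f" >/dev/null 2>&1 || return 1
    gpg --homedir "$h" --batch --yes --pinentry-mode loopback --passphrase openme \
        --decrypt --output "$f.dec" "$f.gpg" >/dev/null 2>&1 || return 1
    cmp -s "$f" "$f.dec"; rc=$?
    rm -rf "$h"
    return $rc
}

# Integrity/non-repudiation: generate a throwaway signing key (the user ID is an
# assumption of this example), detach-sign CHECKSUM, and keep the keyring in
# $dir/gnupg so later verifications use the same public key.
sign_checksum() {
    dir=$1; h="$dir/gnupg"; mkdir -p "$h"; chmod 700 "$h"
    gpg --homedir "$h" --batch --yes --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Signer <signer@example.invalid>' default default never \
        >/dev/null 2>&1 || return 1
    gpg --homedir "$h" --batch --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$dir/CHECKSUM.sig" "$dir/CHECKSUM" >/dev/null 2>&1
}

# Step 1 of the Fedora check: does the signature over CHECKSUM verify?
verify_checksum_sig() {
    gpg --homedir "$1/gnupg" --batch --verify "$1/CHECKSUM.sig" "$1/CHECKSUM" >/dev/null 2>&1
}

# Step 2: does the image match the hash published in CHECKSUM?
verify_image() {
    (cd "$1" && sha256sum -c CHECKSUM >/dev/null 2>&1)
}

# Simulated attacks: alter the image, or alter the CHECKSUM file itself.
tamper_image()    { printf 'x' >> "$1/Fedora-Example.iso"; }
tamper_checksum() { printf '# edited by attacker\n' >> "$1/CHECKSUM"; }

demo() {
    d=$(make_sample)
    verify_image "$d" && echo "clean image: checksum OK"
    if gpg_available; then
        symmetric_roundtrip "$d/Fedora-Example.iso" && echo "symmetric round trip OK"
        sign_checksum "$d" && verify_checksum_sig "$d" && echo "signature over CHECKSUM OK"
    fi
    tamper_image "$d"
    verify_image "$d" || echo "tampered image: checksum mismatch (signature still good: it covers CHECKSUM only)"
    tamper_checksum "$d"
    if gpg_available; then
        verify_checksum_sig "$d" || echo "tampered CHECKSUM: signature BAD"
    fi
    rm -rf "$d"
}

demo
```

Run it as a script; the gpg steps are skipped when gpg is not installed. Note that tampering with the image leaves the signature over CHECKSUM perfectly valid, which is why the checksum comparison is a separate second step, while tampering with CHECKSUM itself is exactly what the signature catches.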

This is the beginning of a series of
articles about using GPG. This series will show you how to create and
maintain keys with GPG, understand and use the web of trust, understand
and run key signing events, use GPG with email, and encrypt and sign
files.

Saturday, May 14, 2016

Microsoft Azure is Microsoft's cloud computing platform, aimed at
companies and end users who want to get into a cloud environment
quickly and effectively. Azure offers far more than virtual
machines: there are also networking services, application services,
websites, databases, mobile application back ends and many more.
How do you get started with Microsoft Azure? If you are lucky,
your company offers you an MSDN subscription as a benefit. It
also comes with 130 EUR of Azure credit per month. The second option is to
visit the Microsoft Azure trial request page (https://azure.microsoft.com/en-us/pricing/free-trial/),
where you are given 170 EUR of credit. This is enough for one large
virtual machine for a month, or 4-5 small machines for the same time, or
a single small test machine (or another service) for much longer.

Introduction and your first login

As the Azure portal has a nice tutorial of its own, there is no need to
provide much information here. After your first login you are
redirected to the dashboard, where you can see your remaining credit,
your running services and their status. The portal is well scalable
and customizable (similar to the Metro style in Windows).

Your very first virtual machine

At the time of writing this tutorial (1/19/2016, intergalactic time),
there are two options for virtual machines in the Azure portal. As you can
see in the picture below, there is Virtual machines (classic) and a
non-classic option. The non-classic one is the newer Resource Manager
deployment model, not on-premise computing; this guide sticks with the
classic model, so click the Virtual machines (classic) option in the menu.

If you already have any machines (probably not yet), they are
listed in the next “slide”. To create a new virtual machine,
simply click the “+ Add” button in the top menu of the slide. Because of
the slide-style menus in the Azure portal, you don't simply
get a list of available images; you must type the name of
the image you'd like to install. For example, let's install Ubuntu
Server now. As you type into the search field, the matching
images appear. There are several versions of Ubuntu
Server, typically the stable one, the latest one and some other
variants, even customized ones such as an ownCloud server preinstalled on
Ubuntu. Let's choose one of the newest, Ubuntu 15.10
for now (the version will depend on when you follow this guide).
Pick the desired image from the search results and
the Basic configuration should show up.

Step 1: Fill in the basic information: the Name of the
machine (this is not the hostname itself, just a name for you to
identify the machine), the User name for login, a Password or an SSH public key,
and the Resource group. The resource group matters because the public DNS name
of the machine is built from the resource group name plus the Azure domain suffix. Last
but not least, choose the region you wish your machine to be in.
Prefer the SSH key over a password: the SSH endpoint of a classic VM is
reachable from the whole Internet by default, and password logins on an
exposed port get brute-forced quickly.

To be honest, the available locations seem to depend somehow on the registration
itself, but I am not sure how. I have all locations available, from
Brazil to China, and I have seen people with the same account preferences
as mine who only have the Europe region available.

Step 2: The size of your virtual machine. Here you
choose the resources. Notice that Azure offers you recommended
virtual machine sizes (probably based on users’ choices). You can always click
“View all” for all available options. Each size has
different parameters: number of cores, memory size, how many physical
disks sit below your virtual disk, the IOPS limit, SSD drive size
and so on.
The difference between Basic and Standard machines comes down to your
needs. The Basic tier is simply basic. It has almost no additional
features; you can’t scale it or request load balancing. This is the best
option for testing. On the other hand, if you plan to use the machine in a
production environment, use the Standard tier for better support and
reliability. Each machine's cost is shown at the bottom. Don’t forget that
Azure also charges you for all outgoing traffic and for IOPS (those charges are
really not high, typically a few cents or euros per month).

Step 3: Configure optional features. This is something like advanced settings.
A nice new feature is the choice between a classic HDD and an SSD drive;
however, the SSD drive is only available with Standard virtual machines. Network
options are a little different in Azure. The individual machines do not get a
public IP; you get one per virtual/cloud service. The easiest way to
understand it is to imagine it as a router: the cloud service is a NAT
device which holds your public IP and DNS name, and all your machines are
assigned private IPs. Don’t worry, you can of course redirect the
ports you need to the machines that need them (these port redirections are
called Endpoints). Open only the ports you actually need, because every
endpoint is reachable from the whole Internet unless you restrict it with an
ACL. The last option is monitoring, which I find
not useful for us now. Monitoring keeps an eye on your machine and there
is even an auto scale option later.

Step 4: Summary. Once again, you can review all your
settings here. You may now ask: what about the hard drive? The answer is
simple. The size of the OS drive is fixed and you can’t modify it
now. Every image has its own primary disk size. However, you can later
attach more disks to your machine and work with them.
When you are ready, hit the “OK” button and your machine starts
provisioning. This may take a few minutes and you can check the progress in
the notification area.

Once the machine is up and running, you can log in to it, change the
port redirections (aka Endpoints) and set many other features. One nice
feature is changing the size of your machine: even if it is a Basic one,
you can switch to Standard or to another Basic size whenever you want.

Summary

This tutorial guided you through the basic setup of a predefined image
from Microsoft. If you plan to use Azure in a more productive way,
see the next guide, “Microsoft Azure Series - Creating virtual machine from custom image”,
which shows how to create an image from your existing
machine and use it again to deploy a new one whenever you want.

I am using UFW to manage the firewall on my
Ubuntu Linux 12.04/14.04 LTS server. I need to block a specific IP
address from accessing my server. How do I block an IP address using
ufw?

UFW (Uncomplicated Firewall)
is a front-end for iptables and is particularly well-suited for a
single server or host-based firewalls. It is the default firewall
configuration tool for Ubuntu Linux. UFW was developed with ease of use
in mind for new sysadmins. It is a user-friendly way to create an
IPv4 or IPv6 based firewall to protect the server.

ufw block specific IP address

The syntax is:

sudo ufw deny from {ip-address-here} to any

To block or deny all packets from 192.168.1.5, enter:

sudo ufw deny from 192.168.1.5 to any

Show firewall status including your rules

sudo ufw status numbered

ufw block specific IP and port number

The syntax is:

sudo ufw deny from {ip-address-here} to any port {port-number-here}

To block or deny the spammer IP address 202.54.1.5 on port 80, enter:

sudo ufw deny from 202.54.1.5 to any port 80

Again, verify with the following command:

sudo ufw status numbered

Tip: UFW NOT blocking an IP address

UFW (iptables) rules are applied in order of appearance, and the inspection
ends immediately at the first match. So if a
rule allows access to tcp port 22 (say using sudo ufw allow 22), and afterwards another rule is added blocking an IP address (say using sudo ufw deny proto tcp from 202.54.1.1 to any port 22),
the rule allowing port 22 matches first and the later rule blocking
202.54.1.1 never does. It is all about the order. One fix is to place the
deny rule at the top of the list with sudo ufw insert 1 deny proto tcp from 202.54.1.1 to any port 22.
The other, used here, is to edit the /etc/ufw/before.rules file and add a “Block an IP Address” section after the “# End required lines” section, since before.rules is processed before the rules added with the ufw command:

sudo vi /etc/ufw/before.rules

Find the line that reads as follows:
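A check for exactly this ordering problem, as an added example that is not part of the original post: it reads the output of sudo ufw status numbered and reports every deny rule for a specific address that sits below an allow-from-Anywhere rule for the same destination (or below any such allow, when the deny covers all ports), printing the ufw insert 1 command that would move an equivalent deny to the top. The status listing is constructed here so the script runs offline; 202.54.1.1 and 192.168.1.5 are the addresses from the post and 203.0.113.7 is a made-up one. Only IPv4 rows are parsed; the (v6) rows carry an extra token and are ignored.

```shell
#!/bin/sh
# Added example (not from the original post): find DENY rules that an earlier
# ALLOW rule shadows, from the text of "sudo ufw status numbered".
# The sample listing below is constructed; pipe real output in instead.
set -u

SAMPLE_STATUS=$(cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22/tcp                     DENY IN     202.54.1.1
[ 4] Anywhere                   DENY IN     192.168.1.5
[ 5] 443/tcp                    DENY IN     203.0.113.7
EOF
)

# Reads status text on stdin. For every DENY rule from a specific address that
# is only reached after an ALLOW-from-Anywhere rule for the same destination
# (or after any such allow, when the deny covers all ports), print:
#   <rule number> <ufw insert command that puts an equivalent deny first>
# IPv6 rows ("22/tcp (v6)") have an extra token, so their action field is not
# ALLOW/DENY and they are skipped.
shadowed_denies() {
    awk '
    /^\[/ {
        sub(/^\[ */, ""); sub(/\]/, "")      # "[ 3] 22/tcp DENY IN 1.2.3.4" -> "3 22/tcp DENY IN 1.2.3.4"
        n = $1; to = $2; act = $3
        from = ($4 == "IN" || $4 == "OUT") ? $5 : $4
        if (act == "ALLOW" && from == "Anywhere") {
            if (!(to in allowed)) allowed[to] = n   # first allow per destination
            any_allow = 1
        }
        if (act == "DENY" && from != "Anywhere") {
            shadowed = (to == "Anywhere") ? any_allow : (to in allowed)
            if (shadowed) {
                split(to, p, "/")                 # "22/tcp" -> port 22, proto tcp
                cmd = "sudo ufw insert 1 deny"
                if (p[2] != "") cmd = cmd " proto " p[2]
                cmd = cmd " from " from " to any"
                if (to != "Anywhere") cmd = cmd " port " p[1]
                print n " " cmd
            }
        }
    }'
}

printf '%s\n' "$SAMPLE_STATUS" | shadowed_denies
```

On the sample listing this reports rules 3 and 4; rule 5 is fine because nothing earlier allows port 443. With the script sourced, run sudo ufw status numbered | shadowed_denies against the live firewall, and remember that a rule inserted at position 1 is matched before everything added with plain ufw allow/deny.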